A malicious campaign that started last summer is once again targeting Uyghur activist groups in China. The latest developments in this year-long fight is a new variant of the documents used to target the activists earlier this year.
F-Secure reported that the variant was submitted to VirusTotal April 11 in China. The malicious email attachment uses an author tag of IUHRDF, which could be the International Uyghur Human Rights & Democracy Foundation. The payload itself is the same, a backdoor that targets Max OS X, and it targets vulnerabilities in Microsoft Word.
This latest attack has a history, as it’s tied to the “Luckycat” attacks that were discovered over a year ago by Kaspersky Lab and Trend Micro targeting Tibetan activists as well as people connected to military research, and aerospace and energy companies in India and Japan. Unlike this recent attack, the earliest version of the campaign targeted Java vulnerabilities.
While the payload remains the same, the method of infection changes depending on the latest software vulnerabilities. In June 2012, the person(s) controlling the campaign targeted activists by embedding a malicious JPEG photo and OS X application within a ZIP file.
Additional levels of attack against the activists also include malicious Android packages (APK), which were delivered last month. This twist targeted both Windows and Mac users. That campaign referenced the “World Uyghur Congress.” Shortly before Android, the attackers focused on PDF vulnerabilities.
“Although some of these attacks were observed during 2012, we’ve noticed a significant spike in the number of attacks during Jan 2013 and Feb 2013, indicating the attackers are extremely active at the moment,” Kaspersky’s Costin Raiu said of the previous version of this latest attack.
“With these attacks, we continue to see an expansion of the APT capabilities to attack Mac OS X users. In general, Mac users operate under a false sense of security which comes from the years old mantra that ‘Macs don’t get viruses’…”